and also on behalf of a number of individual Dutch users of Facebook, Instagram and WhatsApp, i.e. Mrs. Quirine Eijkman, based in Amsterdam, and Mr. Menso Heus, based in Amsterdam. These organisations and individuals are actively engaged in the public discussion about the fundamental right to protection of private life and the protection of personal data.

These fundamental rights are enshrined in the European Convention for Human Rights, in the European Charter of Fundamental Rights of the European Union and in all national constitutions and legislation of the Member States of the European Union, including the Netherlands. The basic principles of the protection for personal data are set out in the EU Data Protection Directive,[2] which must be interpreted in the light of the fundamental rights guaranteed by the EU Charter.[3] In its case law, the European Court of Justice has emphasised the importance of these rights.[4]

In its judgment of 6 October 2015, the European Court of Justice invalidated the Safe Harbour Decision of the European Commission regarding the transfer of personal data from the European Union to the United States. This judgment is effective immediately. Any continued transfer of personal data to the United States based upon this Safe Harbour Decision is unlawful with immediate effect. This was confirmed by the Article 29 Working Party[5] and by the European Commission.[6]

The European Court of Justice found that Facebook transferred personal data obtained in the European Union to the United States for further processing, relying on the Safe Harbour Decision for this mass transfer.

The European Court of Justice invalidated the Safe Harbour Decision because the legislation of the United States fails to ensure a level of protection essentially equivalent to that guaranteed in the legal order of the European Union.[7] In particular, legislation permitting the United States’ authorities to have access on a generalised basis to the content of electronic communications is regarded as compromising the essence of the fundamental right to respect for private life. Furthermore, data subjects from the European Union currently have no administrative or judicial means of redress in the United States, which would enable them to access, rectify or erase the data relating to them. These issues are not resolved yet.

To date, Facebook has not participated in the public debate on these issues. Facebook just stated that the judgment ‘is not about Facebook’ and that ‘Facebook has done nothing wrong’.

Following the Schrems-judgment, Facebook Ireland Ltd. entered into an agreement with Facebook Inc. based on the Standard Contractual Clauses drafted by the European Commission in 2010. Thus, it would appear that Facebook continues its activities unchanged, including transfer of personal data of data subjects from the European Union to the United States. This applies to all of the services of the Facebook concern, including Facebook, Instagram and WhatsApp. However, the use of Standard Contractual Clauses is no longer possible, as these clauses do not resolve the fundamental problems identified by the European Court of Justice in Schrems.

Should Facebook wish to rely on explicit consent of individual users of Facebook, Instagram and WhatsApp, this will not be sufficient either. European data subjects have not given prior, explicit and unambiguous consent[8] to Facebook to grant the United States’ authorities access on a generalised basis to the content of their communications, without any means of redress. And even if data subjects would give such consent, that option would be flawed. Consent needs to be specific and informed and freely given.

From our point of view, there is currently no basis to legally transfer personal data of data subjects from the European Union to the United States. The only solution to this issue is that the United States’ legislator enacts legislation which (a) limits storage and access of the public authorities in the United States of personal data transferred from the European Union to the United States and (b) provides for legal redress for data subjects from the European Union.[9] Until such solution is found, no personal data can legally be transferred from the European Union to the United States.

We invite Facebook to publicly engage in a meaningful and transparent dialogue aimed at finding such solution, and to pressure the authorities to find such solution. Facebook is invited to publicly share its current and intended policies and practice on data transfer. This applies to the services of Facebook, WhatsApp and Instagram and to any other services the Facebook–group offers.

On behalf of our clients, we request – and to the extent legally required we summon – all Facebook entities to end the current unlawful transfer of personal data from the European Union to the United States until the moment that the legislation of the United States is amended in order to provide for a level of protection essentially equivalent to that guaranteed in the legal order of the European Union. Please provide this assurance ultimately by Friday 15 January 2016 (18:00 CET).

If we cannot find an amicable solution and Facebook does not refrain from further transfer of personal data of data subjects from the European Union to the United States by then, we reserve the right to initiate legal proceedings[10] in the Netherlands and to request a preliminary injunction from the competent Dutch Court.